CBS This Morning

Hospital explains decision to pay ransom to hackers

LOS ANGELES -- The CEO of Hollywood Presbyterian Medical Center says the hospital decided to pay ransom to hackers who were holding its computer network hostage because that was the "quickest and most efficient way" to regain control of the system.

The hospital paid the ransom using the digital currencybitcoins, in an amount worth about $17,000, after falling victim to what's commonly called "ransomware" - where hackers seize control of a computer system and threaten to misuse or destroy data if they're not paid. In this case, the hackers encrypted the hospital's data and demanded payment in exchange for a digital key to unlock it.

CEO Allen Stefanek issued a statement about the incident, saying: "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this."

Stefanek said the infiltration at Hollywood Presbyterian was first noticed on Feb. 5, and that its system was fully functioning again by Monday, 10 days later.

Some security experts were surprised that the hospital went public.

"Unfortunately, a lot of companies don't tell anybody if they had fallen victim to ransomware and especially if they have paid the criminals," said Adam Kujawa, Head of Malware Intelligence for Malwarebytes, a San Jose-based company that recently released anti-ransomware software. "I know from the experiences I hear about from various industry professionals that it's a pretty common practice to just hand over the cash."

The hospital did not say whether anyone in law enforcement or the technology industry had recommended it pay off the hackers, and it quickly obtain the digital key used to be able to access its data again.

Computer security experts normally recommend people not pay the ransom, though at times law enforcement agencies suggest they do, Kujawa said.

The FBI said it is investigating the ransomware attack, but provided no details beyond that.

CBS News correspondent Carter Evans reports that according to a source familiar with the investigation, the hospital paid the ransom before contacting law enforcement.

"If they decided to pay the ransom, it probably means that they didn't have very good backups, they weren't able to recover the data, and that the data would have been lost if they didn't pay the ransom," Dave Kennedy, CEO of the information security firm TrustedSec, told CBS News.

Neither law enforcement nor the hospital gave any indication of who might have been behind the attack or whether there are any suspects.

The hacking tactic is growing fast against both individuals and institutions, but it's difficult to say exactly how fast, and even tougher to say how many pay up.

During 2013, the number of attacks each month rose from 100,000 in January to 600,000 in December, according to a 2014 report by Symantec, the maker of antivirus software.

A report from Intel Corp.'s McAfee Labs released in November said the number of ransomware attacks is expected to grow even more in 2016 because of increased sophistication in the software used to do it. The company estimates that on average, 3 percent of users with infected machines pay a ransom.

Bitcoin, the online currency that is hard to trace, is becoming the preferred way for hackers collect a ransom, FBI Special Agent Thomas Grasso, who is part of the government's efforts to fight malicious software including ransomware, told The Associated Press last year.

Stefanek also pointed out in his statement, "The reports of the hospital paying 9000 Bitcoins or $3.4 million are false. The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000."

Stefanek said patient care at Hollywood Presbyterian was not affected by the hacking, and there is no evidence any patient data was compromised. The 434-bed hospital in the Los Feliz area of Los Angeles was founded in 1924, and was sold to CHA Medical Center of South Korea in 2004.